# SAML Authentication

SAML SSO allows your team to authenticate with sfp using your corporate identity provider (IdP), such as Azure AD/Entra ID, Okta, or Google Workspace.

## V3 and later

Starting with V3, SAML SSO is enabled by default on all self-hosted deployments. No manual `.env` editing, Docker Compose changes, or Kong configuration is required.

| What's automated       | How                                          |
| ---------------------- | -------------------------------------------- |
| SAML signing key       | Auto-generated during `sfp server init`      |
| SAML enabled           | Default `true` in Docker Compose             |
| Kong SSO routes        | Included by default                          |
| Caddy auth routing     | `/auth/v1/*` routed to GoTrue automatically  |
| SSO provider detection | Auto-detected from DB after API registration |
| User SSO linking       | Automatic when provisioning users via API    |

The only manual steps are:

1. Configure your IdP (Azure AD, Okta, etc.)
2. Register the IdP via the sfp API
3. Provision users

## Setup Guides

* [Self-Hosted SAML SSO](https://docs.flxbl.io/flxbl/sfp-server/setting-up/saml-authentication/configuring-entra-id-saml-sso-with-self-hosted-supabase) — For self-hosted deployments (`sfp server init`)
* [Cloud SAML SSO](https://docs.flxbl.io/flxbl/sfp-server/setting-up/saml-authentication/configuring-entra-id-saml-sso-with-supabase-cloud) — For cloud-hosted deployments using global auth
